From a86491eeed13c7889356e5102312f52bd86c3c66 Mon Sep 17 00:00:00 2001
From: Maximilian Hils
Date: Thu, 27 Aug 2015 18:37:16 +0200
Subject: [PATCH] Revert "unify SSL version/method handling"

This reverts commit 14e49f4fc7a38b63099ab0d42afd213b0d567c0f.
---
 libmproxy/proxy/config.py | 69 +++++++++++++++++++++++++--------------
 1 file changed, 44 insertions(+), 25 deletions(-)

diff --git a/libmproxy/proxy/config.py b/libmproxy/proxy/config.py
index 830302353..f438e9c22 100644
--- a/libmproxy/proxy/config.py
+++ b/libmproxy/proxy/config.py
@@ -49,11 +49,11 @@ class ProxyConfig:
         ciphers_client=None,
         ciphers_server=None,
         certs=[],
-        ssl_version_client=tcp.SSL_DEFAULT_METHOD,
-        ssl_version_server=tcp.SSL_DEFAULT_METHOD,
+        ssl_version_client="secure",
+        ssl_version_server="secure",
         ssl_verify_upstream_cert=False,
         ssl_upstream_trusted_cadir=None,
-        ssl_upstream_trusted_ca=None
+        ssl_upstream_trusted_ca=None,
     ):
         self.host = host
         self.port = port
@@ -76,14 +76,10 @@ class ProxyConfig:
         for spec, cert in certs:
             self.certstore.add_cert_file(spec, cert)
 
-        if isinstance(ssl_version_client, int):
-            self.openssl_method_client = ssl_version_client
-        else:
-            self.openssl_method_client = tcp.SSL_VERSIONS[ssl_version_client]
-        if isinstance(ssl_version_server, int):
-            self.openssl_method_server = ssl_version_server
-        else:
-            self.openssl_method_server = tcp.SSL_VERSIONS[ssl_version_server]
+        self.openssl_method_client, self.openssl_options_client = version_to_openssl(
+            ssl_version_client)
+        self.openssl_method_server, self.openssl_options_server = version_to_openssl(
+            ssl_version_server)
 
         if ssl_verify_upstream_cert:
             self.openssl_verification_mode_server = SSL.VERIFY_PEER
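Review bot: The two new assignments at the end of the second hunk leave `self.openssl_options_client` and `self.openssl_options_server` as `None` for every version except `"secure"` (that is what `version_to_openssl` returns in the next hunk), whereas the removed lines always stored an int bitmask from `tcp.SSL_DEFAULT_OPTIONS`; whatever hands these attributes to the OpenSSL context must now tolerate `None`, which I cannot confirm from this diff. A comment on the assignment would make that contract visible, e.g. `# options is None unless the version is "secure"; consumers must treat None as "no extra options"`. An unknown version string now also surfaces as a ValueError raised from the constructor, so programmatic callers are not guarded by the argparse `choices` the way the CLI path is. The enclosing `__init__` starts before the hunk.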
@@ -92,8 +88,33 @@ class ProxyConfig:
         self.openssl_trusted_cadir_server = ssl_upstream_trusted_cadir
         self.openssl_trusted_ca_server = ssl_upstream_trusted_ca
 
-        self.openssl_options_client = tcp.SSL_DEFAULT_OPTIONS
-        self.openssl_options_server = tcp.SSL_DEFAULT_OPTIONS
+
+sslversion_choices = (
+    "all",
+    "secure",
+    "SSLv2",
+    "SSLv3",
+    "TLSv1",
+    "TLSv1_1",
+    "TLSv1_2")
+
+
+def version_to_openssl(version):
+    """
+    Convert a reasonable SSL version specification into the format OpenSSL expects.
+    Don't ask...
+    https://bugs.launchpad.net/pyopenssl/+bug/1020632/comments/3
+    """
+    if version == "all":
+        return SSL.SSLv23_METHOD, None
+    elif version == "secure":
+        # SSLv23_METHOD + NO_SSLv2 + NO_SSLv3 == TLS 1.0+
+        # TLSv1_METHOD would be TLS 1.0 only
+        return SSL.SSLv23_METHOD, (SSL.OP_NO_SSLv2 | SSL.OP_NO_SSLv3)
+    elif version in sslversion_choices:
+        return getattr(SSL, "%s_METHOD" % version), None
+    else:
+        raise ValueError("Invalid SSL version: %s" % version)
 
 
 def process_proxy_options(parser, options):
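Review bot: The docstring of `version_to_openssl` describes neither the return value (a `(method, options)` tuple whose second element is `None` for everything but `"secure"`) nor the `ValueError` raised for an unknown name, and those two facts are exactly what callers of this helper need. I would extend it with `:return: (OpenSSL *_METHOD constant, OP_* bitmask or None)` and `:raises ValueError: if version is not in sslversion_choices`. The comment in the `"secure"` branch should also say plainly that TLS 1.0 and 1.1 stay enabled, because the name "secure" suggests more than "not SSLv2/SSLv3". Returning `0` instead of `None` for the options would give the attribute a consistent int type, but only if downstream code treats the two the same, which is not visible here.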
@@ -254,18 +275,16 @@ def ssl_option_group(parser):
         help="Path to a PEM formatted trusted CA certificate."
     )
     group.add_argument(
-        "--ssl-version-client", dest="ssl_version_client", type=str, default=tcp.SSL_DEFAULT_VERSION,
-        choices=tcp.SSL_VERSIONS.keys(),
-        help=""""
-            Use a specified protocol for client connections:
-            TLSv1.2, TLSv1.1, TLSv1, SSLv3, SSLv2, SSLv23.
-            Default to SSLv23."""
+        "--ssl-version-client", dest="ssl_version_client",
+        default="secure", action="store",
+        choices=sslversion_choices,
+        help="Set supported SSL/TLS version for client connections. "
+             "SSLv2, SSLv3 and 'all' are INSECURE. Defaults to secure."
     )
     group.add_argument(
-        "--ssl-version-server", dest="ssl_version_server", type=str, default=tcp.SSL_DEFAULT_VERSION,
-        choices=tcp.SSL_VERSIONS.keys(),
-        help=""""
-            Use a specified protocol for server connections:
-            TLSv1.2, TLSv1.1, TLSv1, SSLv3, SSLv2, SSLv23.
-            Default to SSLv23."""
+        "--ssl-version-server", dest="ssl_version_server",
+        default="secure", action="store",
+        choices=sslversion_choices,
+        help="Set supported SSL/TLS version for server connections. "
+             "SSLv2, SSLv3 and 'all' are INSECURE. Defaults to secure."
     )
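Review bot: The help strings for `--ssl-version-client` and `--ssl-version-server` warn that SSLv2, SSLv3 and 'all' are insecure but never say what the default `secure` actually permits, so a user cannot tell from `--help` that TLS 1.0 and 1.1 are still accepted. I would change the second string in both calls to `"'secure' allows TLS 1.0 and newer; SSLv2, SSLv3 and 'all' are INSECURE. Defaults to secure."`. The two `add_argument` calls differ only in the option name, `dest` and the word client/server, so building them in a small loop over `("client", "server")` would keep the help text from drifting apart again; `ssl_option_group` starts before the hunk.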